In this chapter, we will introduce you to the governance and life cycle settings that are available to you as a Microsoft Teams administrator. You will learn how to use templates for setting up Teams and how to create policies for the setup of Microsoft 365 groups. We will also show you how to apply classification settings, expiration policies, and naming policies to Microsoft 365 groups for Microsoft Teams.
In this chapter, we're going to cover the following main topics:
In this chapter, you will need to have access to the Microsoft Teams admin center, which you can reach at https://admin.teams.microsoft.com. You will need to be either a global administrator or a Teams service administrator in order to carry out the steps covered in this chapter.
You will also need to be able to access Windows PowerShell in order to configure settings for who in your organization can create Microsoft 365 groups.
Creating a team is quick and easy and can be done by users from within Microsoft Teams itself, or by administrators from the Teams admin center. When you create a team, however, it provides you with some very basic team settings and the single General channel, and you will have some work to do to customize the team for your needs.
This is where Teams templates come in. If you have a set of channels, apps, and settings that you would like to be immediately available when you create a new team, templates can provide this. A template for a team can include all the structure definitions relating to your business requirements. In this section, we will show you how to use the pre-built templates included in Teams, and how to create your own templates.
There are several pre-built Teams templates now available in Microsoft Teams. You can create a new team from one of these templates by completing the following steps:
Administrators may view the available Teams templates from the Teams admin center at https://admin.teams.microsoft.com and by navigating to Teams | Team templates:
The pre-built templates are shown in Figure 3.12:
Important note
The pre-built templates may not be edited. However, you can use the Duplicate option to copy the template settings to your own custom template.
Next, let's look at how to create your own custom templates.
In addition to using the pre-built templates, it is also possible to create custom templates. This can be done from the Teams admin center and comprises the following steps:
Now let's look at some of the current Teams template capabilities.
Microsoft has advised that more features will be added to templates over time, but at the time of writing, the following features and settings are available and may be configured with Teams templates:
The following features are currently not available:
Important note
Teams templates are currently limited to 15 channels per template, 20 tabs per channel in a template, and 50 apps per template.
Next, we will show you how to manage the creation of Microsoft 365 groups using policies.
One of the challenges faced by Microsoft Teams administrators is that, by default, all users can create Microsoft 365 groups. Microsoft 365 groups are associated with many services within Microsoft 365, and when a team is created from scratch, a Microsoft 365 group is also created.
This can lead to challenges such as teams being created without expiration policies and then forgotten and discarded. As a result, administrators have the challenge of cleaning up surplus or orphaned teams and Microsoft 365 groups.
One way to address this challenge is to limit who in your organization can create Microsoft 365 groups. This is achieved by using Windows PowerShell and by completing the following steps.
Important note
In order to implement the following process, the administrator who configures the group creation settings, and any members of the security group that we will be creating, must be assigned an Azure AD Premium license.
The first step is to create a security group that contains any users that you wish to have permission to create Microsoft 365 groups:
Install-Module AzureADPreview
Below is the output of the preceding command:
$AzureADCred = Get-Credential
Connect-AzureAD -Credential $AzureAdcred
The results of the preceding commands are shown in Figure 3.24:
# Security group whose members may create Microsoft 365 groups
$GroupName = "M365 group creators"
# "False" turns off group creation for everyone outside that group
$AllowGroupCreation = "False"

Connect-AzureAD

# Look up the tenant's Group.Unified settings object
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if (!$settingsObjectID)
{
    # No settings object exists yet, so create one from the Group.Unified template
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

# Work on a local copy of the settings, then write it back
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if ($GroupName)
{
    # Store the object ID of the security group that is allowed to create groups
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).ObjectId
}
else
{
    # No group name given: clear the allowed group
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Display the resulting values for confirmation
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
The preceding script sets the target security group name and then ensures that only members of this group may create Microsoft 365 groups.
Important note
Note that the $GroupName variable at the start of the preceding PowerShell script must match the name of the security group shown in Figure 3.24, which is M365 group creators in this example.
The output of the preceding script is shown in Figure 3.25, which illustrates the M365 group creators security group being set as the only group that has permissions to create Microsoft 365 groups:
Important note
The preceding steps will not prevent users who have privileged roles such as global administrator from creating Microsoft 365 groups.
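The following check is an added example, not part of the book's script. Get-AzureADGroup -SearchString is a search rather than an exact-name match and can return more than one group, so this version resolves the group by exact display name, confirms that the tenant setting points at it, and lists the members who can now create groups. It assumes the AzureADPreview module and an existing Connect-AzureAD session.

```powershell
# Added example: audit the group-creation restriction after it has been applied.
# Assumes AzureADPreview is installed and Connect-AzureAD has already been run.
$GroupName = "M365 group creators"   # security group name used in this chapter

# Exact-name lookup; fail if the name is missing or ambiguous
$candidates = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupName'")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($candidates.Count)."
}
$group = $candidates[0]
if (-not $group.SecurityEnabled) {
    throw "'$GroupName' is not a security group."
}

# Read the tenant-wide Group.Unified setting written by the chapter's script
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    throw "No Group.Unified directory setting exists; run the chapter's script first."
}

$enabled   = $setting["EnableGroupCreation"]
$allowedId = $setting["GroupCreationAllowedGroupId"]

# Members of the allowed group are the users who keep the right to create groups
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true

[pscustomobject]@{
    EnableGroupCreation = $enabled
    AllowedGroupId      = $allowedId
    ExpectedGroupId     = $group.ObjectId
    # Restriction is in force only if creation is off AND the ID is our group
    RestrictionActive   = ("$enabled" -eq "False") -and ($allowedId -eq $group.ObjectId)
    AllowedCreators     = $members.UserPrincipalName
}
```

Review AllowedCreators periodically: membership of this one group is what grants the right to create Microsoft 365 groups, in addition to the privileged roles mentioned in the preceding note.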
Next, we will show you the process of setting up classifications, expiration policies, and naming policies using Microsoft 365 groups.
In this section, you will learn about the classification feature, expiration policies, and naming policies, and how these three features may be configured using Microsoft 365 groups that are associated with Microsoft Teams. We will start with the group classification feature.
The group classification feature enables users who can create Microsoft 365 groups to create visual descriptions (much like labels) that can provide descriptive information about the group.
Important note
Microsoft now recommends using sensitivity labels in conjunction with Microsoft 365 groups in preference to group classification. However, as the exam outline has not been changed to reflect this at the time of writing, we will focus on the classification feature in this section. Links to sensitivity labeling in relation to Microsoft 365 will be included in the Further reading section at the end of the chapter.
Group classifications can be created using Windows PowerShell. Examples of classification settings are the following:
An example of how this could work is shown as follows with the creation of a classification list. You will need to be connected to Azure AD in PowerShell as shown previously in the chapter:
$setting["ClassificationList"] = "Normal, Confidential, Highly Confidential"
Now that we have our classification list created, we need to apply some descriptions to those list items. This is achieved as follows:
$setting["ClassificationDescriptions"] = "Normal: General, Confidential: Internal only, Highly Confidential: Executive access only"
Now that you have your list of classifications and their associated descriptions, you may set a classification to a chosen new or existing Microsoft 365 group as shown in the following examples:
Set-UnifiedGroup [email protected] -Classification Normal
Or use the following:
New-UnifiedGroup [email protected] -Classification Confidential -AccessType Private
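The two $setting assignments shown earlier in this section only change a local object. The following added example (not from the book) loads the Group.Unified setting, builds the same classification list and descriptions used in this chapter, writes them back to the tenant, and reads the stored values. It assumes the AzureADPreview module, an existing Connect-AzureAD session, and that the Group.Unified setting object already exists.

```powershell
# Added example: apply the chapter's classification list and descriptions.
# Assumes AzureADPreview, a Connect-AzureAD session, and an existing
# Group.Unified directory setting.
$labels = "Normal", "Confidential", "Highly Confidential"
$descriptions = [ordered]@{
    "Normal"              = "General"
    "Confidential"        = "Internal only"
    "Highly Confidential" = "Executive access only"
}

# Catch typos before writing: every description must belong to a listed label
$unknown = $descriptions.Keys | Where-Object { $_ -notin $labels }
if ($unknown) {
    throw "Descriptions for undefined classifications: $($unknown -join ', ')"
}
# ...and every label should carry a description
$missing = $labels | Where-Object { -not $descriptions.Contains($_) }
if ($missing) {
    throw "Classifications without a description: $($missing -join ', ')"
}

# Load the tenant-wide setting object that holds the classification values
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    throw "Group.Unified directory setting not found."
}

# Build the same comma-separated strings shown in this section
$setting["ClassificationList"] = $labels -join ", "
$setting["ClassificationDescriptions"] = (
    $descriptions.GetEnumerator() |
        ForEach-Object { "$($_.Key): $($_.Value)" }
) -join ", "

# Nothing is stored in the tenant until the setting is written back
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read back what the tenant now holds
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -like "Classification*" }
```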
Next, we will examine expiration policies.
Expiration policies are a means of managing the life cycle of your Microsoft 365 groups to ensure that they are deleted when they are no longer used or required. To configure an expiration policy, we need to complete the following steps:
When expiration settings have been applied to a Microsoft 365 group, the following conditions will apply:
You should consider configuring an expiration policy for your Microsoft 365 groups as it will help to prevent stale or orphaned groups within Azure AD.
Now, let's look at naming policies for Microsoft 365 groups.
A group naming policy is a means of applying a naming convention for Microsoft 365 groups when they are created. This can be highly useful for administrators to identify the function of a group and provides the ability to create and manage a blocked word list for group names or aliases.
To create a group naming policy, we need to complete the following steps:
Important note
If Microsoft teams or groups are set up by users who have privileged roles such as a global administrator, the group naming policy will not be applied.
In this section, we described how to use Microsoft 365 groups to configure classification features, expiration policies, and naming policies.
Next, we will go through the process of archiving, restoring, or deleting a team.
The teams that you have in your Microsoft 365 environment may not be needed indefinitely. In this situation, there are several things you can do to ensure that stale or unused teams are removed and that only currently used teams remain active.
In this section, we will show you the options that you have to archive, restore, or fully delete teams.
If there are any teams in your Microsoft 365 environment that are no longer in active use, but there may be a future requirement to access them, then you have the option to archive that team. Once you archive a team, any files and conversations within it are changed to read-only.
To archive a team, we need to complete the following steps:
Next, we will show you how to restore an archived team.
The steps to restore an archived team are equally simple:
Archiving is a simple way of moving unused teams out of the active teams list and then restoring them should they become needed again.
Important note
It is also possible to archive teams from the Microsoft Teams admin center, in the Teams | Manage Teams section.
Next, we will show you how to delete a team.
While archiving a team is easily reversed, deleting a team is a more permanent action. When a team is deleted, the mailbox and calendar for the team are removed from Exchange and the associated SharePoint site will be deleted, as will any OneNote notebooks, Planner plans, Power BI, or Stream content.
When a team is deleted, administrators or team owners can recover it within a 30-day period.
To delete a team, take the following steps:
The team will now be completely deleted.
In this chapter, we introduced you to the principles of creating teams using the built-in Teams templates that are available. We also showed you how to create your own Teams templates from the Teams admin center. You also learned how to set up a policy to control who in your organization can create Microsoft 365 groups.
In addition, we showed you how Microsoft 365 groups can be used to set classification features, expiration policies, and naming policies, and finally, you learned how to archive, restore, and completely delete teams from within the Teams app.
In the next chapter, we will examine the options for configuring guest access for users outside of your organization in Microsoft Teams. You will learn how to access the Teams admin center to control and set the permissions for guest users, and how to configure the meeting, messaging, and calling experience for those guest users. Then, we will show you how to remove guests from Microsoft Teams, and how access reviews can be used to review the existing guest access to the teams in your environment. Finally, we will demonstrate how guest access settings may be controlled from the Azure AD portal.
As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:
a. Attribute
b. Vector
c. String
d. Vertices
a. True
b. False
a. 365 days
b. 730 days
c. 180 days
e. Custom
a. True
b. False
a. Azure Active Directory | Properties
b. Azure Active Directory | Users
c. Azure Active Directory | Groups
d. Azure Active Directory | User settings
a. 14 days
b. 25 days
c. 30 days
d. 50 days
a. True
b. False
a. Pre-built Teams templates may not be edited.
b. Pre-built Teams templates may be duplicated.
c. Pre-built Teams templates may be edited.
d. Pre-built Teams templates can include channels and apps.
a. True
b. False
a. True
b. False
Here are links to more information on some of the topics that we have covered in this chapter:
Configuring classifications, expiration policies, and naming policies for Microsoft 365 groups and Microsoft Teams